add convenience endpoint, merge fix

breardon2011 · breardon2011 · commit 503f4b1ccf4a · 2025-10-24T07:55:47.000-07:00
diff --git a/taco/internal/api/internal.go b/taco/internal/api/internal.go
@@ -36,9 +36,18 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 	internal := e.Group("/internal/api")
 	internal.Use(middleware.WebhookAuth())
 	
-	// Validate org UUID from webhook header and add to domain context
-	internal.Use(middleware.WebhookOrgUUIDMiddleware())
-	log.Println("Org UUID validation middleware enabled for internal routes")
+	// Add org resolution middleware - resolves org UUID or external ID to UUID and adds to domain context
+	if deps.QueryStore != nil {
+		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
+			// Create identifier resolver (infrastructure layer)
+			identifierResolver := repositories.NewIdentifierResolver(db)
+			// Pass interface to middleware (clean architecture!)
+			internal.Use(middleware.ResolveOrgContextMiddleware(identifierResolver))
+			log.Println("Org context resolution middleware enabled for internal routes (UUID and external org ID)")
+		} else {
+			log.Println("WARNING: QueryStore does not implement GetDB() *gorm.DB - org resolution disabled")
+		}
+	}
 
 	// Organization and User management endpoints
 	if orgRepo != nil && userRepo != nil {
@@ -48,6 +57,7 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		// Organization endpoints
 		internal.POST("/orgs", orgHandler.CreateOrganization)
 		internal.POST("/orgs/sync", orgHandler.SyncExternalOrg)
+		internal.GET("/orgs/user", orgHandler.GetMyOrganizations) // Get orgs for user - no org context required
 		internal.GET("/orgs/:orgId", orgHandler.GetOrganization)
 		internal.GET("/orgs", orgHandler.ListOrganizations)
 		
diff --git a/taco/internal/api/org_handler.go b/taco/internal/api/org_handler.go
@@ -355,6 +355,71 @@ func (h *OrgHandler) GetOrganization(c echo.Context) error {
 	})
 }
 
+// GetMyOrganizations handles GET /internal/orgs/user
+// Returns organizations for the current user (no org context required)
+// Requires: X-User-ID and X-Email headers with webhook secret authentication
+func (h *OrgHandler) GetMyOrganizations(c echo.Context) error {
+	ctx := c.Request().Context()
+	
+	// Get user context from webhook middleware
+	userID := c.Get("user_id")
+	if userID == nil {
+		return c.JSON(http.StatusBadRequest, map[string]string{
+			"error": "user context required",
+		})
+	}
+	
+	userIDStr, ok := userID.(string)
+	if !ok || userIDStr == "" {
+		return c.JSON(http.StatusInternalServerError, map[string]string{
+			"error": "invalid user context",
+		})
+	}
+	
+	// Get all organizations
+	allOrgs, err := h.orgRepo.List(ctx)
+	if err != nil {
+		slog.Error("Failed to list organizations for user", "userID", userIDStr, "error", err)
+		return c.JSON(http.StatusInternalServerError, map[string]string{
+			"error": "failed to list organizations",
+		})
+	}
+	
+	// Filter to orgs where user has roles (if RBAC is enabled)
+	var userOrgs []*domain.Organization
+	if h.rbacManager != nil {
+		for _, org := range allOrgs {
+			// Check if user has any roles in this org
+			orgCtx := domain.ContextWithOrg(ctx, org.ID)
+			hasAccess, _ := h.rbacManager.IsEnabled(orgCtx)
+			if hasAccess {
+				userOrgs = append(userOrgs, org)
+			}
+		}
+	} else {
+		// No RBAC - return all orgs
+		userOrgs = allOrgs
+	}
+	
+	// Convert to response format
+	response := make([]CreateOrgResponse, len(userOrgs))
+	for i, org := range userOrgs {
+		response[i] = CreateOrgResponse{
+			ID:            org.ID,
+			Name:          org.Name,
+			DisplayName:   org.DisplayName,
+			ExternalOrgID: org.ExternalOrgID,
+			CreatedBy:     org.CreatedBy,
+			CreatedAt:     org.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		}
+	}
+	
+	return c.JSON(http.StatusOK, map[string]interface{}{
+		"organizations": response,
+		"count":         len(response),
+	})
+}
+
 // ListOrganizations handles GET /internal/orgs
 func (h *OrgHandler) ListOrganizations(c echo.Context) error {
 	ctx := c.Request().Context()
diff --git a/taco/internal/auth/terraform.go b/taco/internal/auth/terraform.go
@@ -822,7 +822,9 @@ func (h *Handler) ensureUserHasOrg(ctx context.Context, subject, email string) (
     orgName := fmt.Sprintf("user-%s", subject[:min(8, len(subject))])
     orgDisplayName := fmt.Sprintf("%s's Organization", email)
 
-    org, err := h.orgRepo.Create(ctx, orgName, orgDisplayName, subject)
+    // Create org with orgID=orgName (the unique identifier)
+    // name=orgName (stored in DB), displayName (friendly name), no externalOrgID, createdBy=subject
+    org, err := h.orgRepo.Create(ctx, orgName, orgName, orgDisplayName, "", subject)
     if err != nil {
         return "", fmt.Errorf("failed to create org: %w", err)
     }
diff --git a/taco/internal/domain/resource_resolver.go b/taco/internal/domain/resource_resolver.go
@@ -12,7 +12,10 @@ var (
 	ErrAmbiguousIdentifier = errors.New("identifier matches multiple resources")
 	
 	uuidPattern         = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
-	absoluteNamePattern = regexp.MustCompile(`^org-([a-zA-Z0-9_-]+)/(.+)$`)
+	// Absolute name pattern: supports UUID, external org ID, or legacy name format
+	// Examples: "550e8400-e29b-41d4-a716-446655440000/unit-name", "auth0_org_123/unit-name", "org-acme/unit-name" (legacy)
+	absoluteNamePattern = regexp.MustCompile(`^([a-zA-Z0-9_-]+)/(.+)$`)
+	legacyOrgPattern    = regexp.MustCompile(`^org-([a-zA-Z0-9_-]+)$`)
 )
 
 type IdentifierType int
@@ -34,7 +37,9 @@ type ParsedIdentifier struct {
 // Supports three formats:
 //   - UUID: "a1b2c3d4-1234-5678-90ab-cdef12345678"
 //   - Simple name: "dev" (resolved within current org context)
-//   - Absolute name: "org-acme/dev" (explicitly specifies org)
+//   - Absolute name: "<org-uuid-or-external-id>/dev" (explicitly specifies org)
+//     Examples: "550e8400-e29b-41d4-a716-446655440000/dev", "auth0_org_123/dev"
+//     Legacy format "org-acme/dev" is also supported but deprecated (names are not unique)
 func ParseIdentifier(identifier string) (*ParsedIdentifier, error) {
 	if identifier == "" {
 		return nil, fmt.Errorf("%w: empty identifier", ErrInvalidIdentifier)
@@ -48,10 +53,18 @@ func ParseIdentifier(identifier string) (*ParsedIdentifier, error) {
 	}
 	
 	if matches := absoluteNamePattern.FindStringSubmatch(identifier); matches != nil {
+		orgIdentifier := matches[1]
+		resourceName := matches[2]
+		
+		// Strip "org-" prefix if present (legacy format)
+		if legacyMatches := legacyOrgPattern.FindStringSubmatch(orgIdentifier); legacyMatches != nil {
+			orgIdentifier = legacyMatches[1]
+		}
+		
 		return &ParsedIdentifier{
 			Type:    IdentifierTypeAbsoluteName,
-			OrgName: matches[1],
-			Name:    matches[2],
+			OrgName: orgIdentifier, // This is now UUID, external ID, or legacy name
+			Name:    resourceName,
 		}, nil
 	}
 	
diff --git a/taco/internal/middleware/org_context.go b/taco/internal/middleware/org_context.go
@@ -27,24 +27,47 @@ func JWTOrgUUIDMiddleware() echo.MiddlewareFunc {
 	}
 }
 
-// WebhookOrgUUIDMiddleware extracts org UUID from webhook header and adds to domain context
-// For internal routes (/internal/api/*) - expects UUID in X-Org-ID header
-func WebhookOrgUUIDMiddleware() echo.MiddlewareFunc {
+// ResolveOrgContextMiddleware resolves org identifier to UUID and adds to domain context
+// For internal routes (/internal/api/*) - resolves X-Org-ID header (UUID or external org ID)
+// Skips validation for endpoints that don't require an existing org (like creating/listing orgs)
+func ResolveOrgContextMiddleware(resolver domain.IdentifierResolver) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			orgUUID, ok := c.Get("organization_id").(string)
-			if !ok || orgUUID == "" {
-				log.Printf("[WebhookOrgUUID] organization_id not found in context")
+			// Skip org resolution for endpoints that create/list orgs
+			path := c.Request().URL.Path
+			method := c.Request().Method
+			
+			// These endpoints don't require an existing org context
+			skipOrgResolution := (method == "POST" && path == "/internal/api/orgs") ||
+				(method == "POST" && path == "/internal/api/orgs/sync") ||
+				(method == "GET" && path == "/internal/api/orgs") ||
+				(method == "GET" && path == "/internal/api/orgs/user")
+			
+			if skipOrgResolution {
+				log.Printf("[ResolveOrgContext] Skipping org resolution for %s %s", method, path)
+				return next(c)
+			}
+			
+			// Get org identifier from webhook auth middleware
+			orgIdentifier, ok := c.Get("organization_id").(string)
+			if !ok || orgIdentifier == "" {
+				log.Printf("[ResolveOrgContext] organization_id not found in context")
 				return echo.NewHTTPError(400, "X-Org-ID header is required")
 			}
 			
-			if !domain.IsUUID(orgUUID) {
-				log.Printf("[WebhookOrgUUID] organization_id is not a UUID: %s", orgUUID)
-				return echo.NewHTTPError(400, "X-Org-ID must be a UUID")
+			// Resolve identifier to UUID (accepts UUID or external org ID, NOT names)
+			orgUUID, err := resolver.ResolveOrganization(c.Request().Context(), orgIdentifier)
+			if err != nil {
+				log.Printf("[ResolveOrgContext] Failed to resolve org identifier %q: %v", orgIdentifier, err)
+				return echo.NewHTTPError(400, map[string]string{
+					"error": "Invalid organization identifier",
+					"details": err.Error(),
+				})
 			}
 			
-			log.Printf("[WebhookOrgUUID] Found org UUID: %s", orgUUID)
+			log.Printf("[ResolveOrgContext] Resolved %q to UUID: %s", orgIdentifier, orgUUID)
 			
+			// Add org UUID to domain context
 			ctx := domain.ContextWithOrg(c.Request().Context(), orgUUID)
 			c.SetRequest(c.Request().WithContext(ctx))
 			
diff --git a/taco/internal/middleware/webhook.go b/taco/internal/middleware/webhook.go
@@ -54,27 +54,32 @@ func WebhookAuth() echo.MiddlewareFunc {
 				})
 			}
 
-		userID := c.Request().Header.Get("X-User-ID")
-		email := c.Request().Header.Get("X-Email")
-		orgID := c.Request().Header.Get("X-Org-ID")
+	userID := c.Request().Header.Get("X-User-ID")
+	email := c.Request().Header.Get("X-Email")
+	orgID := c.Request().Header.Get("X-Org-ID")
 
-		// Skip org validation for create org endpoint
-		isCreateOrg := c.Request().Method == http.MethodPost && c.Path() == "/internal/api/orgs"
+	// Skip org validation for endpoints that don't require existing org
+	path := c.Request().URL.Path
+	method := c.Request().Method
+	skipOrgHeader := (method == http.MethodPost && path == "/internal/api/orgs") ||
+		(method == http.MethodPost && path == "/internal/api/orgs/sync") ||
+		(method == http.MethodGet && path == "/internal/api/orgs") ||
+		(method == http.MethodGet && path == "/internal/api/orgs/user")
 
-		if userID == "" {
+	if userID == "" {
+		return c.JSON(http.StatusBadRequest, map[string]string{
+			"error": "X-User-ID header required",
+		})
+	}
+	
+	// Require org ID for all requests except org creation/listing
+	if !skipOrgHeader {
+		if orgID == "" {
 			return c.JSON(http.StatusBadRequest, map[string]string{
-				"error": "X-User-ID header required",
+				"error": "X-Org-ID header required",
 			})
 		}
-		
-		// Require org UUID for all requests except create org
-		if !isCreateOrg {
-			if orgID == "" {
-				return c.JSON(http.StatusBadRequest, map[string]string{
-					"error": "X-Org-ID header required",
-				})
-			}
-		}
+	}
 
 		principal := rbac.Principal{
 			Subject: userID,
diff --git a/taco/internal/repositories/identifier_resolver.go b/taco/internal/repositories/identifier_resolver.go
@@ -3,7 +3,6 @@ package repositories
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	"github.com/diggerhq/digger/opentaco/internal/domain"
 	"gorm.io/gorm"
@@ -39,9 +38,9 @@ func (r *gormIdentifierResolver) ResolveOrganization(ctx context.Context, identi
 		return parsed.UUID, nil
 	}
 	
-	
-	// If not found by name, try external org ID
-	// This handles cases where someone passes an external ID directly
+	// Try to resolve by external org ID
+	// Names are NOT unique, so we only support UUID or external org ID
+	var result struct{ ID string }
 	err = r.db.WithContext(ctx).
 		Table("organizations").
 		Select("id").
@@ -52,7 +51,11 @@ func (r *gormIdentifierResolver) ResolveOrganization(ctx context.Context, identi
 		return result.ID, nil
 	}
 	
-	return "", fmt.Errorf("organization not found: %s", parsed.Name)
+	if err == gorm.ErrRecordNotFound {
+		return "", fmt.Errorf("organization not found with external ID: %s (names are not unique and cannot be resolved)", parsed.Name)
+	}
+	
+	return "", fmt.Errorf("failed to resolve organization: %w", err)
 }
 
 // ResolveUnit resolves unit identifier to UUID within an organization
diff --git a/taco/internal/repositories/org_repository.go b/taco/internal/repositories/org_repository.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"
 
 	"github.com/diggerhq/digger/opentaco/internal/domain"
@@ -19,6 +20,10 @@ type orgRepository struct {
 	db *gorm.DB
 }
 
+const (
+	queryOrgByName = "name = ?"
+)
+
 // Helper function to safely get string value from pointer
 func getStringValue(ptr *string) string {
 	if ptr == nil {
